Currently, we try to mitigate the potential for damage from malicious
packages by verifying the identity of our maintainers. We don't accept
anonymous software. It's a lot of work to check their identity; we are
planning to start using a commercial certification authority to help us
with this.

Note that Red Hat, Caldera, etc. are just as liable to pick up and compile
a package whose author built in a booby-trap. We are working on this problem
by establishing a standard for authors to use when signing their software,
and we will work to get authors into the PGP web of trust through our
certification authority or other means (like having a local Debian developer
check them out) so that we can trace software all the way back to the
original author.

Bruce
--
BAN KEY ESCROW. Privacy is your right!
Bruce Perens K6BP Bruce@Pixar.com 510-215-3502
Finger bruce@master.Debian.org for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6 1F 89 6A 76 95 24 87 B3